Register contents at startup

Register contents at startup

Author

Message

Infamous#1 / 2

Register contents at startup

When you run a windows 32bit application (PE), what are the register contents? cs obviously points to code, ds to data, ss to stack, but what about es, gs, fs, if the model wasn't flat? At the start of one program, I saw: mov eax, dword fs:[00000000] Anyone know, or where I could find out?

> When you run a windows 32bit application (PE), what are the register contents? > cs obviously points to code, ds to data, ss to stack, but what about es, gs, > fs, if the model wasn't flat? > At the start of one program, I saw: > mov eax, dword fs:[00000000] > Anyone know, or where I could find out?

es should be an alias to ds i think, fs points to the TIB (thread info block), i don't *think* gs point's to anything special but i really don't know for shore. The TIB lock something like this: